Before you create a TCP service chain classifier rule, you must create one or more service chains.
Service chain classifier rules determine which service chains receive traffic. Each service chain classifier rule you choose selects the specific chain that processes ingress connections. Different classifier rules can send connections to the same chain. Each classifier has three filters that match the source IP address, the destination, and the application protocol. Filters can overlap, so the best-matching classifier determines the service chain for a specific connection, and a classifier can reject a connection or allow it to bypass the service chain. You can also choose to send decrypted or non-decrypted traffic to the inspection devices.
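The selection logic described above (three overlapping filters, a best-matching rule that names a chain or rejects or bypasses the connection, and a per-rule choice of decrypted or non-decrypted delivery) can be modelled in a few lines. The following is an added example written for this page, not Herculon SSL Orchestrator code; it assumes that an empty filter matches anything, that "best match" means the rule with the most populated filters, and that ties go to the earlier rule in the list. The rule set and connections are constructed sample values.

```python
# Added example: a toy model of service chain classifier selection.
# Illustrative code only, not the Herculon SSL Orchestrator implementation.
# Assumptions (not stated on the page): an empty filter matches anything,
# "best match" means the rule with the most populated filters, and ties are
# broken by rule order (the earlier rule wins).
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Classifier:
    name: str
    src: Optional[str]        # source CIDR, or None for any source
    dst: Optional[str]        # destination CIDR, or None for any destination
    protocol: Optional[str]   # application protocol name, or None for any
    action: str               # a service chain name, "reject", or "bypass"
    decrypt: bool = True      # True: chain sees decrypted traffic; False: still encrypted

    def matches(self, src_ip: str, dst_ip: str, proto: str) -> bool:
        """A rule matches when every populated filter matches the connection."""
        if self.src is not None and ip_address(src_ip) not in ip_network(self.src):
            return False
        if self.dst is not None and ip_address(dst_ip) not in ip_network(self.dst):
            return False
        if self.protocol is not None and self.protocol.lower() != proto.lower():
            return False
        return True

    def specificity(self) -> int:
        """Number of populated filters; used to pick the best of overlapping matches."""
        return sum(f is not None for f in (self.src, self.dst, self.protocol))


def select_classifier(rules, src_ip, dst_ip, proto):
    """Return the best-matching rule, or None when no rule matches."""
    best = None
    for rule in rules:
        # Replace only on strictly greater specificity, so earlier rules win ties.
        if rule.matches(src_ip, dst_ip, proto) and (
            best is None or rule.specificity() > best.specificity()
        ):
            best = rule
    return best


def dispatch(rules, src_ip, dst_ip, proto):
    """Map a connection to (action, decrypt), or None when no classifier applies."""
    rule = select_classifier(rules, src_ip, dst_ip, proto)
    if rule is None:
        return None
    return (rule.action, rule.decrypt)


# Constructed rule set (sample values, not from the page). Several rules can
# match one connection, and two rules here point at the same chain.
RULES = [
    Classifier("blocked-dest", None, "203.0.113.0/24", "https", "reject"),
    Classifier("finance-bypass", "10.10.0.0/16", None, "https", "bypass"),
    Classifier("any-https", None, None, "https", "chain_full"),
    Classifier("guest-encrypted", "192.168.50.0/24", None, None, "chain_ids_only", decrypt=False),
    Classifier("any-http", None, None, "http", "chain_full"),  # same chain as any-https
]

if __name__ == "__main__":
    for flow in [("10.10.5.4", "198.51.100.7", "https"),
                 ("192.168.1.9", "198.51.100.7", "https"),
                 ("192.168.1.9", "203.0.113.9", "https"),
                 ("192.168.50.3", "198.51.100.7", "http"),
                 ("172.16.0.1", "198.51.100.7", "ssh")]:
        print(flow, "->", dispatch(RULES, *flow))
```

The point worth checking against a real rule set is the overlap behaviour: a broad "any HTTPS" rule is outranked by a narrower source- or destination-scoped rule, and a connection that no rule matches yields no chain at all, which is the case to look for when auditing why traffic is unexpectedly uninspected.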
Note: When configuring a single-device Herculon SSL Orchestrator transparent proxy in front of an explicit proxy, Herculon SSL Orchestrator can transparently intercept SSL traffic tunneled through an explicit proxy and selectively forward the decrypted user traffic through the security service chain for proper inspection. Afterwards, the user traffic is sent back to the BIG-IP, which re-encrypts the traffic and sends it to the explicit proxy. User traffic of certain categories may also be rejected by the BIG-IP or bypass the security inspections.
Note: When transparently decrypting traffic to upstream explicit proxies in a two-device Herculon SSL Orchestrator deployment, SSL forward proxy interception only occurs on the ingress device (decryption, service chaining, and re-encryption occur on the ingress device, while the encrypted plaintext traffic passes through the egress device). In addition, all classifier rules apply to traffic inside HTTP CONNECT tunnels except for rules that bypass SSL during the TLS handshake phase. Rules that bypass SSL during the TLS handshake phase do not apply because SSL forward proxy cannot reuse the same HTTP CONNECT tunnel to the explicit proxy for the bypassed flow.
You have now created a TCP service chain classifier rule.